Why does the WinRM service require administrator privileges for initial configuration, and how can an attacker still exploit it with low privileges?
Initial WinRM configuration (`winrm quickconfig`, or moving the listener to a different port) needs administrator rights because it creates the listener, starts the service, adds the firewall exception and, when the port changes, registers a matching URL reservation in HTTP.sys (the URL ACLs shown by `netsh http show urlacl`). The reservations for `http://+:5985/wsman/` and `http://+:47001/wsman/` are granted to the WinRM service account, not to ordinary users, so an unprivileged process cannot bind its own listener under them. Once the listener exists it is held by the WinRM service (running as NETWORK SERVICE), and any account the target allows to connect (by default members of Administrators or Remote Management Users) can open remote sessions to it. For persistence the attacker therefore needs administrator rights only once, to enable the listener and to add or keep an account that is permitted to connect. The genuinely low-privilege route described in the article is different: it does not touch WinRM at all but uses the HTTP Server API directly through a pre-existing reservation that already grants Everyone listen rights, such as `http://+:80/Temporary_Listen_Addresses/`, so an unprivileged process can register a listener under that prefix and receive HTTP traffic on port 80 alongside whatever else HTTP.sys serves on that port.
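The following PowerShell is an added example, not code from the article or its author: it checks the relevant reservations with `netsh` and then binds a listener under `http://+:80/Temporary_Listen_Addresses/` from a non-administrative session using .NET's `System.Net.HttpListener`. It assumes a Windows host on which the default `Temporary_Listen_Addresses` reservation has not been removed; the reply text and the `/x` test path are arbitrary.

```powershell
# Added example (not from the original article). Demonstrates why the
# Temporary_Listen_Addresses reservation lets a low-privileged user share
# port 80 through HTTP.sys, while the WinRM reservations do not.
# Assumption: the default reservation is still present on this host.

# 1. Inspect the reservations. The first one lists "\Everyone" with Listen
#    rights; the wsman one is restricted to the WinRM service account.
netsh http show urlacl url=http://+:80/Temporary_Listen_Addresses/
netsh http show urlacl url=http://+:5985/wsman/

# 2. Register a listener from an unprivileged PowerShell session.
$prefix   = 'http://+:80/Temporary_Listen_Addresses/'
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add($prefix)
try {
    $listener.Start()   # succeeds without admin because the ACL grants Everyone
} catch [System.Net.HttpListenerException] {
    # Typically error 5 (ERROR_ACCESS_DENIED) if the reservation was removed
    # or tightened by an administrator.
    Write-Warning "Could not bind $prefix : $($_.Exception.Message)"
    return
}
Write-Host "Listening on $prefix as $([Environment]::UserName)"

# 3. Serve a single request, then stop. HTTP.sys only routes requests whose
#    path begins with /Temporary_Listen_Addresses/ to this process; every
#    other URL on port 80 keeps going to whoever else holds a reservation.
$ctx  = $listener.GetContext()
$body = [Text.Encoding]::UTF8.GetBytes("handled by $([Environment]::UserName)`n")
$ctx.Response.ContentType     = 'text/plain'
$ctx.Response.ContentLength64 = $body.Length
$ctx.Response.OutputStream.Write($body, 0, $body.Length)
$ctx.Response.Close()
$listener.Stop()
```

Exercise it from a second window with `Invoke-WebRequest http://localhost/Temporary_Listen_Addresses/x` and note that the request is answered by the unprivileged user's process. For a defender the corresponding check is the `netsh http show urlacl` output: any reservation listing `\Everyone` (or another broad principal) with Listen rights is a path for a low-privileged account to receive traffic on that port, and an administrator can remove an unneeded one with `netsh http delete urlacl url=http://+:80/Temporary_Listen_Addresses/` if nothing on the host depends on it.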
privilege escalation, WinRM configuration, low privilege exploitation, HTTP Server API, persistence